
Ralph Beckon

Development of a Proposal for the Implementation of a Medical Technology Wireless Data Network for St. Mary Hospital

 

Week 2: August 21, 2005

Tasks

Task 1: Analyze Risk and Security Issues. (Completed)

This week I analyzed risk concerning my wireless network proposal and possible interference with our wireless telemetry system. I also took a closer look at physical and network security issues.

Interference

The first high risk area of concern is with equipment reliability; this risk involves the potential problem of interference with patient medical devices; specifically with the wireless telemetry systems that measure and track patients with heart conditions.

Saint Mary Mercy Hospital has already restricted the use of cellular telephones and radio transmitters in rooms containing life-sustaining equipment such as equipment found in Intensive Care, Cardiology, Surgery, and Dialysis. The risk question is, can the proposed wireless network system cause interference with patient medical devices not only in these rooms but throughout the hospital?

After careful review I found that the FCC in conjunction with the FDA had completed “The Wireless Medical Telemetry Service” (WMTS) report which in effect orders companies to set aside the frequencies of 608 to 614 MHz, 1395 to 1400 MHz, and 1429 to 1432 MHz for primary or co-primary use of wireless medical telemetry users. This eliminates the risk that a manufacturer's unmodified wireless equipment will interfere with Saint Mary Mercy's medical telemetry system. To further validate our protected frequencies the installers of the MTS wireless network can review the FCC statement included with all wireless devices.

A minimal concern is the reliability of the equipment proposed in the wireless system. This is a relatively low risk issue because backups and equipment redundancies can be set in place. A mobile device can be used to collect equipment data and then be synchronized in case of network failures. Another solution is manual data input if a barcode device fails.

Sources:

A). FDA (2002). US Food and Drug Administration.

Wireless Medical Telemetry - About WMTS

Retrieved August 2005 from:

http://www.fda.gov/cdrh/EMC/wmt-about.html

B). FCC rules for wireless medical telemetry devices.

Retrieved August 2005 from:

http://www.fcc.gov/Bureaus/Engineering_Technology/Orders/2000/fcc00211.doc

 

Security

Security is the second part of this task and involves researching the security of patient data and the possibility of hacking.

MTS employees will occasionally be exposed to a limited amount of private information as established by HIPAA regulations and the policies established by Saint Mary Mercy Hospital. The type of information MTS staff will be exposed to includes room numbers, the type of equipment used by the patient, certain health conditions that could affect our personal health, and reviewing specific patient waveforms or data. This information could be transmitted across the wireless network. My project proposal will have to address physical, local computer and encrypted wireless transmission security.

If my project proposal uses low-end access points, our security will be limited to Wired Equivalent Privacy (WEP) and MAC address filters. WEP is a system for encrypting our network data and preventing unauthorized users from gaining access. WEP uses keys that get combined with a keystream that encrypts your data into ciphertext. A corresponding keystream is used to decrypt the data at the receiving end.

WEP authenticates MTS employees so that they can access the network. Both the access point and our laptops' PCMCIA adapter cards need to be configured to use WEP. WEP can use a maximum encryption mode of 128 bits. Hackers that face a WEP system can eventually obtain the encryption key needed to unlock access to the data.
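As an added illustration (not part of the original journal), the Python sketch below shows the WEP encapsulation described above: a 24-bit IV is joined to the shared secret, RC4 turns that into a keystream, and the receiver regenerates the same keystream to decrypt and check the CRC-32 integrity value. The key, IV and payload are constructed sample values, and the frame layout is simplified (no 802.11 header or key-ID byte).

```python
import struct
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV (sent in the clear) followed by RC4(plaintext + ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    body = plaintext + _icv(plaintext)
    ks = rc4_keystream(iv + secret, len(body))   # per-frame key = IV || secret
    return iv + bytes(a ^ b for a, b in zip(body, ks))

def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Rebuild the keystream from the frame's IV, decrypt, verify the ICV."""
    iv, ct = frame[:3], frame[3:]
    ks = rc4_keystream(iv + secret, len(ct))
    body = bytes(a ^ b for a, b in zip(ct, ks))
    plaintext, icv = body[:-4], body[-4:]
    if icv != _icv(plaintext):
        raise ValueError("ICV mismatch: wrong key or altered frame")
    return plaintext

# Constructed sample values (not from the page).
SECRET = bytes(range(1, 14))          # 104-bit secret; +24-bit IV = "128-bit" WEP
IV = b"\x00\x00\x01"
PAYLOAD = b"room=412;device=infusion-pump"

if __name__ == "__main__":
    frame = wep_encrypt(SECRET, IV, PAYLOAD)
    print(frame.hex())
    print(wep_decrypt(SECRET, frame))
```

With a static secret the keystream is determined by the IV alone, which is why a "128-bit" WEP key offers only 104 secret bits and why key rotation matters.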

Through this research I learned that by using a higher end access point we can utilize Temporal Key Integrity Protocol (TKIP). TKIP works on top of WEP by giving us an extra layer of security and offering stronger security than WEP.

TKIP delivers encryption algorithms and constantly changes the encryption keys making them much more difficult for hackers to capture. Even if a key gets captured the hacker will not have the time to use it because the wireless LAN will be using different encryption keys. TKIP also encrypts the encryption keys making current hacking processes virtually useless.

TKIP is a new technology and some access points and wireless client cards do not support it. I will propose the purchase of TKIP access points for all new installations and using WEP security until upgrades are completed.

A secondary risk of production quality based on staff training has been reduced because the IT staffing has been approved for further security training and this should not pose a big risk issue. The production quality as it relates to security will also be improved because the key stakeholder has been brought in and involved at an early stage. The technical manager will also be required to review the project details and security issues.

Major accomplishments associated with this task are that I discovered that the FDA has established specific rules and set 14 MHz of frequency for telemetry and wireless medical devices. This fact significantly reduces the risk of interference between the MTS wireless network and our medical telemetry system.

The other major development revealed through my research is TKIP encryption which will significantly increase the level of wireless security and can enhance and secure Saint Mary's HIPAA compliance. I can now put this risk issue to rest and move on to the next portion of my project defined in week 3.

Sources:

Cisco (2003). Wireless LAN Security White Paper

Retrieved August 2005 from:

http://www.cisco.com/en/US/products/hw/wireless/ps430/products_white_paper09186a00800b469f.shtml

 

Task 2: Analyze Patient HIPAA Policies. (Completed)

Through my research I found that the HIPAA regulations can be very complex. For the purposes of my project proposal I will define the HIPAA regulations as a means to prevent inappropriate use and disclosure of individuals' health information. This includes the MTS department's responsibility to protect that information and the systems that store, transmit, and process it.

HIPAA Security and Privacy requirements apply to almost anyone who has any affiliation to a medical practice and include health providers, health plan providers, healthcare support and supplies organizations, healthcare business associates, contractors and consultants, and researchers who may have personal information.

HIPAA Security requires assignment of responsibility for security of health information to ensure integrity and confidentiality of all health care information that is stored or transmitted in any format. Responsibility includes protecting information against reasonably anticipated threats to security or unauthorized uses and disclosures of patient information.

HIPAA also requires implementation and documentation for administrative security procedures, physical security, technical security services and technical security mechanisms. This is usually done by implementation of a HIPAA security and privacy compliance program. A typical compliance program should have a privacy and compliance officer and an oversight committee involving all stakeholders.

A complete HIPAA program would address risk issues, training, policy and procedure development, trading partner agreements and compliance review procedures.

HIPAA violations and non-compliance can involve individuals or organizations and include civil monetary penalties and tough penalties for misuse with knowledge or intent, including large fines and even prison terms.

The major accomplishment associated with this task is that I gained a much deeper understanding of the HIPAA regulations. This understanding allows me to develop my proposal taking into consideration HIPAA compliance as it relates to MTS and my project proposal.

Source:

AAMC. Guidelines for Academic Medical Centers on Security and Privacy

Retrieved August 2005 from:

http://www.aamc.org/members/gir/gasp/

 

Task 3: Analyze wireless compatibility issues. (Completed)

As I began research on compatibility issues I found that we did not have any real issues to deal with. As for hardware compatibility, our laptop computers will be upgraded with PCMCIA cards compatible with both the 802.11b standard and TKIP encryption protocols. The access points are either WEP compatible or TKIP compatible.

We use the AIMS database that is based on Microsoft's SQL software. Our laptop computers already have direct access to the hospital backbone; we will only be adding our network to the established wireless network. The barcode readers are compatible with our AIMS MTS database. Our current hardware and software will allow direct data input from various barcode readers. Our current wireless infrastructure will allow network communications and compatibility will not be an issue.

The major accomplishment associated with this task is that our current hardware, software and operating systems will be compatible with the newly proposed barcode readers. This information will significantly simplify any installation of my proposed wireless network system.

 

Decisions

[What came up that needed to be addressed? Did you run into a problem or roadblock? How did you solve it? What important decisions did you make this week that impacted your project?]

As I analyzed the risk issues of security I ran into a potential problem of physical security for our laptop computers. This problem is that even if the computers are locked they can be wheeled off into locations where the laptops could be disconnected from their security locks. This problem must be addressed in my project proposal.

To solve the security problem several decisions were made that need to be incorporated in the final project proposal. To establish physical security it is advised that the mobile carts be locked in utility closets when not attended for any extended length of time. To establish local security the use of password history, time limits and complexity will be used. To establish network security all transmissions within the MTS wireless network will be required to transmit using WEP encryption.

 

Learning

1) What helpful feedback did you get in the class (instructor, classmates) and outside the class (user, stakeholder, beneficiary, mentor, expert advisor, others)? What did you gain from this feedback?

I received more useful feedback from my project's stakeholder Keith Miller. Keith suggested that I should talk to Becky Barta because she is the MTS database administrator and the chief interface between our database and HIPAA policies and procedures.

Feedback from Becky Barta taught me that our MTS AIMS database has specific markers that identify all equipment that we might check through a wireless network and barcode data input. These markers inform MTS employees that special care must be taken with the results taken from this equipment. Some devices may have confidential printouts or stored data that we must protect and secure.

2) What resources did you use this week (e.g., people, money, equipment, systems, or software)? Did you add new resources? What was your learning?

I used the resources as described in my project plan and was fortunate to find that Saint Mary Mercy Hospital had a good amount of resources and information tied directly to the exploration of this task and my project proposal.

I added the following resources to develop my project proposal:

a.) Saint Mary Hospital (2003). Notice of Privacy Practices.

Retrieved August 2005 from:

http://www.stmarymercy.org/legal/npp.shtml

I learned that patient information has a limited level of confidentiality that I did not know before. Examples include that information can be disclosed to anyone who is directly involved in a particular patient's care, including family members who are authorized to make decisions. Legal authorities, if required by law, also have the right to patient information, especially if this information can affect the security or well-being of a community.

b.) Guidelines for Academic Medical Centers on Security and Privacy

Practical Strategies for Addressing the Health Insurance Portability and Accountability Act (HIPAA)

Retrieved August 2005 from:

http://www.aamc.org/members/gir/gasp/

I learned from this resource that the HIPAA regulations mandate that all medical providers have a privacy officer. The impact on this project proposal and the MTS employees is that if we have any doubts about patient privacy, confidentiality of information, or the HIPAA guidelines we must seek help from the privacy officer.

c.) Wi-Fi Planet (2003). Setting Up a Secure Wireless Network

Retrieved August 2005 from:

http://www.wi-fiplanet.com/tutorials/article.php/2233511

This resource added to my project because it helped me obtain a better basic understanding of network security and encryption protocols. The information given here significantly impacted my project by introducing another layer of security known as TKIP as discussed in the task section. This information will be added to the final project proposal.

d.) FCC rules for wireless medical telemetry devices.

Retrieved August 2005 from:

http://www.fcc.gov/Bureaus/Engineering_Technology/Orders/2000/fcc00211.doc

I learned from this the specific rules that govern the use of frequencies, specifically those frequencies that cannot be used by any wireless equipment manufacturers. This added to my project proposal because it reduced the risk issue of interference and explained specific regulations that protect the wireless telemetry systems at Saint Mary Mercy Hospital.

3) What research did you perform this week that was assisting and/or literature based? What was your learning?

I researched HIPAA regulations and I learned what regulations specifically relate to my wireless network proposal. This information adds value to my project because I will be able to incorporate this in the proposal to enhance HIPAA compliance.

I researched physical and network security issues and I learned that layers of security must be established to protect the data that resides on a local mobile level and the information that is transmitted across the network. This research introduced me to TKIP, which will now be added as a recommended security protocol in my project proposal.

I researched the rules that govern medical telemetry frequencies and interference and learned that our wireless telemetry network is protected from interference from my proposed wireless network. This knowledge added to my project by reducing the high risk category of interference to a lower level.

I researched wireless compatibility issues and learned that there are no known compatibility issues. This adds to my project proposal by simplifying the installation and deployment process.

 

Indicators

1) How well did you stick to your project schedule?

I proceeded with my project schedule as planned.

2) How prepared are you to conclude your project in Unit 10 as required in this course?

I do not foresee any problems completing my project as planned.

3) How likely is it that you will need to resort to your contingency plan?

I believe that it is unlikely that I will have to resort to my contingency plan.

 

Other

I have no other comments at this time.

 

 
